Detecting Forged TCP Reset Packets

Authors: Nicholas Weaver, Robin Sommer, Vern Paxson
Presented by: Anuj Kalia, Shashank Gupta
Abstract

Network administrators enforce usage restrictions by
terminating connections when deemed undesirable.

This is usually achieved by injecting artificial TCP Reset
packets into the network.

By exploiting the out-of-band nature of injected
packets, we can detect interference, and fingerprint the
injection device.
Motivation

To what degree can we detect when a network actively
disrupts communication?
Deployment of RST injectors:
◦ Great Firewall of China: terminates Internet connections deemed undesirable by the Chinese government.
◦ Restricting P2P traffic: practiced by multiple ISPs (Comcast), particularly to block bulk transfers such as those of BitTorrent.
Techniques used to block
communication

Assumption: A traffic monitor inspects TCP flows for
violation of network policy, and instructs a connection
terminator to stop identified flows.

Difference compared to a traditional firewall: All flows
are initially allowed through.
◦ Potential blocking decisions are taken later.
Devices to terminate flows:
◦ Inline devices: the device ceases to forward packets associated with the flow, but this puts it on the forwarding path and makes it a performance bottleneck.
◦ Out-of-path devices are hence preferred.
Out of path blocking methods
1. Instruct an in-path device, such as a router, to block
the flow.
2. Inject forged TCP FIN packets, one in either direction.
3. Inject forged TCP RST packets, in one direction.
The detectors discussed should work against any out-of-band flow termination, because a passive monitor that acts on what it has already seen always races with packets still in flight.
Detection Toolbox
Each detector targets a situation that is likely to indicate
the presence of one or more injected RST packets.
1. RST_SEQ_DATA:
a) The injector sees a data packet that triggers its
decision to terminate the connection. After some
time it sends out a fake RST packet.
b) During this interval, more packets from the sender
may pass the injector’s observation point.
c) Receiver gets an RST packet with sequence number
less than expected.
Figure (RST_SEQ_DATA): the sender's data packet with seq no 42 triggers the injector; a further data packet with seq no 50 passes the observation point before the injected RST (seq no 42) arrives, so the receiver sees an RST whose sequence number is below the one it expects.
Detection Toolbox
Each detector targets a situation that is likely to indicate
the presence of one or more injected RST packets.
2. DATA_SEQ_RST:
a) At the time RST is injected, further packets are
already in flight, or will be sent soon: the sender is
not yet shut down!
b) The receiver will see data packets from the sender
after it has received the RST.
Figure (DATA_SEQ_RST): data packets with seq no 42 and 50 continue to arrive at the receiver after the injected RST, because the sender was never actually shut down.
3. RST_SEQ_CHANGE:
a) By sending multiple RSTs with increasing sequence
numbers, an injector increases the likelihood of
getting one through.
b) It faces the dilemma of having to pick a higher
sequence number without knowing what the source
will send.
c) Look for a back-to-back pair of RST packets, where
the 2nd has a higher sequence number than the 1st,
and exceeds the current sequence number.
Experiments
The detectors were run over traffic traces captured at:
1. ICSI (International Computer Science Institute)
2. UC Berkeley
3. Columbia University
4. George Mason University

By correlating the characteristics of injected RST
packets across datasets, a number of injectors were
identified.
Results
Sandvine RST injector:
◦ Comcast uses RST injection to manage P2P traffic, and its devices were purchased from Sandvine.
◦ Fingerprint: a back-to-back pair of RST packets, for which the 2nd one has a sequence number 12503 higher than the 1st, and the IPID increased by 1.
◦ Comcast injection alerts came in bursts: 10 on Feb 9th, 23 on Feb 18th, etc. These bursts correspond to heavy use of P2P software by students.
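The three detectors from the Detection Toolbox slides (RST_SEQ_DATA, DATA_SEQ_RST, RST_SEQ_CHANGE) and the Sandvine fingerprint above, written out in Python as an added example. This is not code from the paper or the slides. The Packet record, its fields, and the packet trace are constructed for illustration; the only values taken from the slides are the sequence-number delta of 12503 and the IPID increment of 1. The example covers one direction of a flow as observed on the receiver's side of the injector, and compares sequence numbers with 32-bit wraparound in mind.

```python
from collections import namedtuple

# Constructed packet record for one direction of a TCP flow (sender -> receiver),
# as captured on the receiver's side of the injector.  Assumed for this example,
# not a format from the paper.
Packet = namedtuple("Packet", "flags seq length ipid")

SEQ_MOD = 1 << 32
IPID_MOD = 1 << 16

# Sandvine fingerprint from the Results slide: back-to-back RSTs where the 2nd
# sequence number is 12503 higher than the 1st and the IPID went up by 1.
SANDVINE_SEQ_DELTA = 12503


def seq_lt(a, b):
    """True if 32-bit sequence number a comes before b (wraparound-safe)."""
    return ((a - b) & (SEQ_MOD - 1)) > (SEQ_MOD >> 1)


def run_detectors(packets):
    """Apply the three RST detectors to one direction of a flow.

    Returns a list of (detector_name, packet_index) alerts in arrival order;
    'SANDVINE_FINGERPRINT' is added when an RST pair matches the slide's values.
    """
    alerts = []
    next_expected = None   # receiver's next expected seq, from data seen so far
    rst_seen = False       # an RST has already "terminated" this direction
    prev_rst = None        # (index, packet) of the immediately preceding RST

    for i, p in enumerate(packets):
        if "R" in p.flags:
            # RST_SEQ_DATA: the RST's seq is below what the receiver expects,
            # i.e. data passed the injector before it sent its RST.
            if next_expected is not None and seq_lt(p.seq, next_expected):
                alerts.append(("RST_SEQ_DATA", i))
            # RST_SEQ_CHANGE: back-to-back RSTs, the 2nd with a higher seq that
            # also reaches past the current sequence position.
            if prev_rst is not None:
                _, q = prev_rst
                past_current = next_expected is None or not seq_lt(p.seq, next_expected)
                if seq_lt(q.seq, p.seq) and past_current:
                    alerts.append(("RST_SEQ_CHANGE", i))
                    seq_delta = (p.seq - q.seq) % SEQ_MOD
                    ipid_delta = (p.ipid - q.ipid) % IPID_MOD
                    if seq_delta == SANDVINE_SEQ_DELTA and ipid_delta == 1:
                        alerts.append(("SANDVINE_FINGERPRINT", i))
            rst_seen = True
            prev_rst = (i, p)
        else:
            # DATA_SEQ_RST: data keeps arriving after the "sender" reset the flow.
            if rst_seen:
                alerts.append(("DATA_SEQ_RST", i))
            end = (p.seq + p.length) % SEQ_MOD
            if next_expected is None or seq_lt(next_expected, end):
                next_expected = end
            prev_rst = None   # a data packet breaks the back-to-back RST pair

    return alerts


# Constructed trace (not a real capture): two data segments, then two RSTs
# modelled on the Sandvine pattern, then a segment that was still in flight.
SAMPLE_TRACE = [
    Packet("PA", 1000, 100, 10),
    Packet("PA", 1100, 100, 11),
    Packet("R", 1100, 0, 40),                # seq 1100 < receiver's expected 1200
    Packet("R", 1100 + SANDVINE_SEQ_DELTA, 0, 41),   # +12503, IPID +1
    Packet("PA", 1200, 100, 12),             # sender was never shut down
]


def main():
    for name, idx in run_detectors(SAMPLE_TRACE):
        print(f"{name:20s} packet #{idx}")


if __name__ == "__main__":
    main()
```

The caveat a practitioner will want: a genuine RST sent by the endpoint at its current sequence position raises nothing here, and that is the point of the paper's detectors, which key on RSTs that sit below the receiver's expected sequence number or are followed by data the sender should never have sent. A deployment would run this per flow and per direction, and would add the TTL and IPID comparisons used in the other fingerprints on the Results slides.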
Results
BezeqInt injector:
◦ Always uses IPID 16448
◦ Differing TTL
◦ Increments ACK number (?)

IPID 256 injector

Chinese Firewall injectors:
◦ IPID 64 injector
◦ IPID -26 injector
◦ SEQ 1460 injector
QUESTIONS?